Technical Field

This invention relates to arrangements for detecting fraudulent use of mobile stations in a mobile
telecommunications network.

Problem 

Mobile radio systems for permitting customers calling from mobile stations such as vehicular stations
mounted in automobiles, portable stations of medium weight which may be transported readily, or small
lightweight, hand held personal communication stations are becoming increasingly prevalent. Such systems use
the principles of cellular technology to allow the same frequencies of a common allocated radio bandwidth to
be reused in separated local areas or cells of a broader region. Each cell is served by a base transceiver station
comprising a group of local transceivers connected to a common antenna. The base station systems, each
comprising a controller and one or more transceiver stations, are interconnected via a switching system, a mobile
switching center, which is also connected to the public switched telephone network. Such cellular systems are
now entering a second generation characterized by digital radio communications and a different set of
standards such as the European Global Systems for Mobile Communications (GSM) standard, promulgated by the
Special Mobile Group (SMG).

Since mobile stations are not connected by any wire or optic fiber directly to a switching center, it is
necessary for the mobile station to transmit its identity to the network in order to receive services. A mechanism
has been defined in GSM to detect mobile stations fraudulently attempting to impersonate another mobile
station. An imposter will not pass authentication if the authentication key, which exists on the user's Subscriber
Identity Module (SIM), is not known by the impersonator. A particularly serious problem occurs if a dealer
fraudulently supplies a second customer with the same SIM as the first customer. Since the second customer will
have the correct authentication key in the SIM, such fraud is especially difficult to detect and presents a
problem.

A problem of the prior art therefore is that there is no satisfactory arrangement for detecting the presence
of two or more mobile stations during the duplicated SIMs. 

Solution

The above problem is solved and an advance is made over the prior art in accordance with the principles
of this invention wherein each of a class of state transitions is examined to see if the particular state transition
is likely, in view of a recorded prior state of the mobile station. Whenever a mobile station changes state to
one of the specified states, the previous one of the specified states for that mobile station is examined and if
the transition is unlikely, a record is made for the mobile telecommunications network administration. These
records are an indication of possible fraud, and can be used advantageously to warn the mobile systems
operator and the customer registered for a particular identity of the fraudulent presence of another customer
having the same SIM identity. The particular SIM identity can then be rejected and the customer can be provided
with a new SIM.

The states, transitions to which are examined and recorded, include the following: attached mobile station,
detached mobile station, page response, location update, service request, and cancel location (a message
from an HLR to a VLR to indicate that the mobile has moved outside the area served by the VLR). Unlikely
events include the transition to: an attach when the mobile station is already attached; a detach when the
mobile station is already detached; the receipt of multiple page responses for a single page request of one
mobile; the receipt of a location update or a service request while another update procedure is in progress; the
receipt of a service request when a mobile station is detached; receipt of a location update request during
an attach or detach procedure; or a cancel location message for a mobile station received when a call or a
location update is active.
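
The transition check described above, as an added Python example (not code from the patent): it keeps a recorded prior state per identity, applies the listed unlikely-transition rules to a constructed event log, and returns the records an operator would review. The event names `page`, `procedure_done` and `call_release`, the record fields, the review threshold and the IMSI values are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class MobileRecord:
    """Recorded prior state for one identity (IMSI) in this VLR area."""
    attached: Optional[bool] = None   # None: nothing recorded yet
    procedure: Optional[str] = None   # "attach", "detach" or "location_update" in progress
    call_active: bool = False
    page_responses: int = 0           # responses seen for the latest page request


def unlikely(rec, event):
    """Return why `event` is an unlikely transition from `rec`, or None."""
    if event == "attach" and rec.attached is True:
        return "attach while already attached"
    if event == "detach" and rec.attached is False:
        return "detach while already detached"
    if event == "page_response" and rec.page_responses >= 1:
        return "multiple page responses for a single page request"
    if event in ("location_update", "service_request") and rec.procedure == "location_update":
        return event + " while another update procedure is in progress"
    if event == "service_request" and rec.attached is False:
        return "service request while detached"
    if event == "location_update" and rec.procedure in ("attach", "detach"):
        return "location update during attach or detach procedure"
    if event == "cancel_location" and (rec.call_active or rec.procedure == "location_update"):
        return "cancel location while a call or location update is active"
    return None


def apply(rec, event):
    """Update the recorded state after the event has been examined."""
    if event in ("attach", "detach"):
        rec.attached = (event == "attach")
        rec.procedure = event
    elif event == "location_update":
        rec.procedure = event
    elif event == "procedure_done":      # assumed marker: current procedure finished
        rec.procedure = None
    elif event == "service_request":
        rec.call_active = True
    elif event == "call_release":        # assumed marker: call ended
        rec.call_active = False
    elif event == "page":                # assumed marker: network paged the mobile
        rec.page_responses = 0
    elif event == "page_response":
        rec.page_responses += 1


def detect(events):
    """events: iterable of (time, imsi, event). Returns [(time, imsi, reason)]."""
    records, findings = {}, []
    for when, imsi, event in events:
        rec = records.setdefault(imsi, MobileRecord())
        reason = unlikely(rec, event)
        if reason:
            findings.append((when, imsi, reason))
        if event == "cancel_location":
            del records[imsi]            # mobile left the area served by this VLR
        else:
            apply(rec, event)
    return findings


def suspect_identities(findings, threshold=2):
    """Identities with at least `threshold` records (threshold is an assumption)."""
    counts = Counter(imsi for _, imsi, _ in findings)
    return {imsi: n for imsi, n in counts.items() if n >= threshold}


# Constructed sample: two handsets share CLONED; NORMAL is a single handset.
CLONED, NORMAL = "001010000000001", "001010000000002"
SAMPLE_LOG = [
    (0, CLONED, "attach"), (1, CLONED, "procedure_done"),
    (2, NORMAL, "attach"), (3, NORMAL, "procedure_done"),
    (50, CLONED, "location_update"), (51, CLONED, "procedure_done"),
    (60, CLONED, "attach"), (61, CLONED, "procedure_done"),   # second handset powers up
    (70, CLONED, "page"), (71, CLONED, "page_response"),
    (71, CLONED, "page_response"),                            # both handsets answer
    (80, NORMAL, "service_request"), (90, NORMAL, "call_release"),
    (100, CLONED, "detach"), (101, CLONED, "procedure_done"),
    (110, CLONED, "service_request"),                         # other handset still active
    (120, NORMAL, "detach"), (121, NORMAL, "procedure_done"),
    (130, CLONED, "detach"),
]

if __name__ == "__main__":
    for when, imsi, reason in detect(SAMPLE_LOG):
        print(when, imsi, reason)
    print(suspect_identities(detect(SAMPLE_LOG)))
```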

Brief Description of the Drawing 

FIG. 1 is a block diagram of the basic GSM model of a mobile switching center and its direct and indirect 
interfaces; 

FIG. 2 illustrates how this model is implemented in one exemplary embodiment;

FIG. 3 illustrates the various signaling protocols used for signaling messages in mobile telecommunications
systems; 

FIG. 4 illustrates the interconnections among mobile stations, land-based stations, base station systems, 
the public switched telephone network, and a mobile; ^^eor data interconnections.

(WGSM);

FIGS. 9-13 illustrate the process of establishing a mobile to land call;

FIG. 14 illustrates the release of a mobile call;

FIGS. 15-18 illustrate the handover process;

FIGS. 19-21 illustrate the handover process in terms of message exchanges;

FIGS. 22-28 illustrate an incoming call to a mobile station.

^*^-^ liEl ^ . a i hp C lobal Systems for Mobile 

F.GV.sab.ocKdlagramoUherelerencemo™ 

ComrSnioatlons (GSM). ^^£SS^^^ * ^ * T£ in the HLR 

has a GSM standard specified interface. Briefly, the ^pu ^p cus tomer. The data stored .n the HLR 

2 that contains the Visitor Location 04 - V ^ mobile statlon s present 

The VLR contains current data tor ^ T^^^.^q^q^J status, and security parameters. A remote VLR 106 
o, most recently Known location area, the stat.on 

connected via a G interlace is also shown authenticalion and encryption Parameters to ensure that 

The authentication center (AUC) 108 PJ°" oe bBe cus ,omer and provides data for en 

» mobile customer cannot falsely assume the .dentity of ano trie ^^.^ and g serv . 

The BSS 112 comprises a base station controUer (BSC) 1 m£ communicate via radio con- 

human interface to the MS. ord ^ ran g es o( certi f led ^^^^Z 

The equipment identity register (El R) 124 ,e a. observation or barred from ^Tte 

and ranoes of or individual equipment identrficat onsr mobile swilch ing center. The EIR 
equipment identification information ^^^I^L, tor use in the public networK and is not on 
is used to verify that the equipment number of 

blocks is to be implemented. It is the purpu 

these standards in an advantageous manner GSM mobile communication system The mo- 

FlG. 2 illustrates the system ^ch.tecture Jom J |inks 206 usjng opt ional.y •n")^.^ 8 ' 
bile nation (MS) 202 communicates w.th the BSS 204 °™ the MS a nd the BSS. The MS 

^io communications for the voice or data. ^^^SC) 210. The BSS and MS exchange control 
communicates via the BSS with the mob.le sw ^.ng cen i > . protoco| (SS?) 

messaoes with the mobile switch center us.ng the CCITT «J 8 J ^ ^ integrated into the MSC 

""EE arrangement, the HLR M™™^^^ another network entity, i. obtains them 
^SZ^XSZ to the entity that current, holds this information. 
The MSC communicates with a billing center 220 for accumulating billing records using the CCITT X.25
protocol and also communicates with an Operations and Maintenance Center (OMC) 222 using the CCITT X.25
protocols. The OMC communicates with BSSs via the MSC using SS7. In one implementation, the OMC
communicates with a customer administration system 224 using a standard RS-232 link. In addition, maintenance
messages between the BSS and OMC are transmitted using SS7 with the Base Station System Operation
Maintenance and Administration Part (BSSOMAP) protocol.

Signaling System 7 is described in detail in A. R. Modarressi et al.: "Signaling System No. 7: A Tutorial,"
IEEE Communications Magazine, July 1990, pages 19-35. The GSM standard protocols are specified in the
GSM standard specifications, which at this time is in version 3.S. 

FIG. 3 is a diagram of the protocols used in different types of communications, according to the GSM
standard. Most of these protocols are those of SS7. Of the seven layers of the protocol according to the
International Standards Organization (ISO) layered message protocol, only the top (application layer) and the bottom
three layers (Network, Data and Physical) are shown on the left. Four types of messages are shown: The first
double column includes those from switching system to switching system for land-based trunks including either
a telephone user part (TUP) or an ISDN user part (ISUP) (both SS7 standards) for the application layer. The
second column is for messages among MSCs, VLR, HLR and EIR, which messages use the SS7 standard
Transaction Capabilities (TC), Transaction Capabilities Application Part (TCAP) and Mobile Application Part
(MAP) sublayers of the application layer (MAP is enhanced with GSM standards). When these messages are
strictly internal to the MSC, these protocols are simplified and messages transmitted directly or via protocol
handlers between the responsible processors. The third column is for communications between the mobile
switching center and a BSS. The final column is for communications between the mobile switching center and
mobile station.

The three bottom sublayers of the protocol (layer 1, the physical layer, layer 2, the data layer, and sublayer
3, the message transport part (MTP) sublayer, a sublayer of the network layer) are identical for all of these
types of communications and are in accordance with the SS7 Message Transport Part (MTP) standards of
the CCITT Q.701 - Q.707 standard. The Signaling Connection Control Part (SCCP), a sublayer of the network
layer, also a CCITT standard Q.711-Q.714, is connection oriented for the MSC/MS communications, is
connectionless for the second column, and may be either for the MSC/BSS communications. SCCP is available
for some ISUP applications. For the first column (switch to switch) the TUP and ISUP application layer
communicates directly with MTP 3 sublayer of the network layer.

Communications between the MSC and either the BSS or the mobile station use a Radio Subsystem (Base
Station System) Application Part (BSSAP) protocol. For communications between the mobile switching center
and the BSS, layer 7 uses the protocols of the BSSAP including a Base Station System Management
Application Part (BSSMAP). The communications between the mobile switching center (MSC) and the mobile
station are performed in the protocols of BSSAP including a Direct Transfer Application Part (DTAP). BSSAP,
including BSSMAP and DTAP, are GSM standards.

FIG. 4 is a basic block diagram of a mobile switching center 400 (switch), as implemented using AT&T's
5ESS® Switch. The switch, described in detail in The AT&T Technical Journal, vol. 64, no. 6, part 2, July/August
1985, pages 1305-1564, (Journal) includes an administrative module 402, a communication module 404, and
a group of switching modules 406-412. The switching modules applicable in the GSM network are of four types:
a wireless switching module (WSM) 406 for communicating with BSSs, and also optionally communicating with
the public switched telephone network (PSTN); switching modules (SM) 408 for communicating with the PSTN;
a wireless global switch module (WGSM) 410 for serving the signaling communication needs for controlling
calls involving mobile stations; and a PSTN Global Switch Module (PSTN GSM) 412 used if PSTN trunks are
of ISUP or TUP types, i.e., use SS7 for signaling to the PSTN. The PSTN GSM processes ISUP or TUP
protocols and can optionally also be connected to PSTN trunks.

The functions of the administrative module (AM), communications module (CM) and switching module
(SM), in relation to the PSTN are essentially as described in the referenced Journal. The purpose of the WGSM,
as described hereinafter, is to simplify the signaling communications between BSSs and the WSM serving
calls for the BSS, and between the MS and the WSM. The PSTN GSM is for controlling common channel
signaling between the MSC and the PSTN. The PSTN GSM is connected by message delivery paths to protocol
handlers in the SMs.

The signaling architecture of the mobile switching center is significantly simplified by having signaling
messages go through a common set of data switches and protocol handlers in a wireless global switching module
(WGSM). Physically, the wireless global switching module is connected via nailed up channels (message
delivery paths) switched through the time multiplexed switch of the communications module to each of the
wireless switching modules. These are 64 kilobit channels, the same as the PCM voice channels of the 5ESS switch
communications module. Over another nailed up physical channel connecting the WGSM with a WSM mes-
tocol handler by decoding the local reference number since that quantity contains the identification of the
protocol handler (PH) upon which the connection resides.

Whenever a SCCP connection goes into an active (stable) state, this connection information is shared
with the next ascending PH in the PSU community (wherein the first PH is the "next ascending" PH for the
last PH). This "next ascending" PH is known as a "backup PH." When a PH fails, a spare PH is switched into
position and thereby connected to the sources and destinations of messages for that PH. The "next
ascending" PH transmits to the spare PH a list of reference numbers of stable connections from the failed PH;
the "next ascending" PH will continue to control these connections as long as they are active. The spare PH
assigns local reference numbers for new connections that have the same logical PH number as the
connections formerly served by the failed PH. When the spare PH receives a message for an active connection, it
r H ',l ,h , TT 81 message to the "next ascending" PH which has the information for
processing that message, and which therefore can maintain the virtual connection. In this way, in the event that a
PH fails, messages received on existing SCCP connections for the failed PH are automatically routed to the
wit ZTccp " , P T' """" a PH fails, the backup PH will automatically restart timers associated
with the SCCP connections from this backup information. In this way, stable connections will remain stable
p" C S pm h those connections. Every PH that sets up SCCP connections has a dedicated
backup PH. Since a spare PH then assumes the logical role and name of the failed PH and accepts new SCCP
connection requests, that PH will gradually reduce the temporary overload on the backup
PH. When the failed PH is eventually restored to service, it then takes the role of a spare PH.

While in this embodiment, the "next ascending" PH is used as a backup, any other predetermined backup
be r used e Tn e sl S d U Th a 1 ^ I" 6 *' ascending skipping 1 in a system with an even number of active PHs) can
be used instead. The term "predetermined adjacent" is used to describe any predetermined backup PH
selection. As discussed above, when the spare PH assumes the role of the failed PH, the backup PH will report the
present status of all its active connections to the spare PH. The spare PH will not reuse resources, such as
connection identifier numbers, for active connections still running on the backup PH when setting up new
are Z I < n " continue to a " active connections until they
are released, as well as servicing new SCCP connections for itself.

When a mobile station is first powered up within a specified mobile network, the international mobile
subscriber identification (IMSI) is used by the mobile station to identify itself. This IMSI is used to route a request
for VLR data to the WSM that contains that data. Each protocol handler of the WGSM contains a table that
stores the IMSI-WSM map, the table being created from data supplied by the WSMs. In order to allow HLR
and, where possible, associated VLR records to be stored in any WSM, this look-up table has one entry per
m ^ c T UP ° f registration process, the SM that stores the VLR data will associate a
Temporary Mobile Subscriber Identification (TMSI) with a mobile station. The TMSI, whose value while at least in
nf a » r hl a w<?M ,' is otherwise constricted according to the GSM standard, is specially encoded with the identity
n n ZZ < " 9 module having wireless software) that contains the VLR so that accessing the
proper WSM for incoming messages when VLR data is required is simplified if the TMSI is available.
Randomness of the TMSI is maintained by randomizing three of its four octets. Except on initial mobile station power
ZZ^Ta f ° V f' ^ TMSI will normally be used for all BSSAP transactions. When a mobile station
initiates a transaction (such as a call or location update), the SCCP connection data base that stores
information TZ ZILT, the transaction, also stores information to identify the WSM that contains VLR data as well as
the WSM that contains the trunk connected to the BSS. This is used for the routing of all subsequent messages
for this connection, which contain no TMSI. message.

As an example of operation of the signaling system, consider a data connection between a BSS and
a mobile switching center. Assume that the connection is initiated in the BSS. An initial message would first
and a WGSM Th! < " !? If ^ ^ BSS over a signaling data link logically interconnecting the BSS
and a WGSM. The protocol handler, in the wireless global switch module, which terminates the signaling data
link passes the message from MTP to a SCCP control program. This SCCP program strips off the MTP header
Tx^n 7r, aQe - Depending on the contents of the message, a connection is established or released
or the transfer of data is required. In this example, connection establishment is requested and a SCCP
connection (i.e., a virtual circuit) is temporarily set up between the protocol handler in the WGSM end of the
signaling data link and the protocol handler in the BSS. The SCCP control program informs a base station system
application part (BSSAP) (also referred to as a radio subsystem application part in FIG. 3) of the request for
fhe Went! I Tl ffT ' BSSAP then parses the BSSAP message and obtains
the identity of the destination wireless switch module. In the case, for example, of a query requiring VLR data,
this destination WSM is identified by the international mobile subscriber identity (IMSI) field contained in the
. . IKys c, tn infiex a look-up table to find the WSM where
BSSAP message. The BSSAP control process ° '^^^ithiS the WGSM from the pro.oco. 

the VLR data base for this I MSI is to be .^f^ZTZ^er^ terminates a message delivery path to 
handier terminating the signaling oata link to protocc ^ndter t ^ ^ desUnal|on 

,he identified WSM. This protocol handler hen s nds the mess J e P „ of tnat WSM . A BSSAP control 

cedure tor sending a message from a wireless f^p layer of the message that is tag- 

0 transmitting wireless switch ^^^^TSS connection. This process then forwards the me, 
oed with the local reference number identifying the * vu lra nsmhs the message over a 

"sage to a protocol handler in the ^^^^^L. modu.e to a first protocol handler in the 
nailed up message delivery pat .going through the c ° m ™ |QCa| re(erence nurnbe r of the message 

wireless global switch modu.e. Th.s f irst P m ^**^™™„ minates , he SCCP connection. (This .ocal ref- 
,5 and uses this to determine ^^^^T^^ ttablishing the SCCP connection.) This protocol 

?o earlier.) a . nprmjts essentially all of the SS7 protocol handling lunct.ons 

Advantageous^ this type of arrangement invo1ving tne switching modu.e processor 

,o be carried out in the packet •«^«^™^$£* to process their messages independent of the 
of the WGSM) and allows the transm.ttmg and rece.v.ns I WSM P ^ 8s ( hg nand|ef 

destination. Effectively, the set ol protocol ^ 75 aclive and 5 spare protocol handlers.) 

„ of all signaling protocols. f^-'^Z s^ 7 headers to the application data of the mes- 
The WGSM assembles and d.sassembles the S gnahng y accept |he message£ 

SS7 . mP «aoes via the messaoe switch of the communication module 

The switching modules also communica e me ^S es v- a th mess ages that are exchanged 

35 as is done in a land-based 5ESS switch^ .or example, a switch.ng module 

in order to set up a connection through the c ^™^™ ™ . land . lo . mobi ,e or mobile-to-land ca.l and the 

— • — - — ■* - sent in th,£ 

way. , nu :.«. horne MSC i.e.. the MSC that contains the HLR for that 

Whenever an MS is in the reg.on serve by it* - e comm(jn rfata „ stored only Q nce for the two 
MS the base VLR is attached to the HLR in sucn a w^y 

registers: the VLR and HLR are then stored in the sje — ^ ^ ^ ^ actjve ^ 

When the mobile ^^^•^ 1 ^^ i n* Bt mobile station in the VLR WSM. When a call is 
state, only a base version of the VLR s — jQn a sepgrate dynamic ve rsion of part 

,5 originated by a mobile stat.on or a caU ^ received for t ^ Thjs copy Qf ^ yLR |S „ nked 

of the VLR is stored and maintained ,n the WSM hat con staljon mQves 

,o the terminal process in that WSM that controls the mob le station e ^ ^ VLR is transferred 

and the call is handed over to a caH and i s lfnkld to a terminal process for serving that call 

to , he new WSM serving the mobile station for t^t call ^ MS locations is ch anged only by 

56 in that WSM. Note that the data m the b8S « the specification of a ca.l forwarding number 

administrative actions or such administrator modifies the HLR which 

and are not copied into the dynamic ^ LR ^^^ on]r acceS s to the base VLR lor trouble shooting 
in turn updates the base VLR: the administrator has read on.y 
The location of the mobile station is no updated in e *»rnM procedures are carried

area is the area that is paged when a call terminating to an MS is received.
All incoming calls first check the HLR. This is because the HLR is fixed and the location of the HLR record
is tied to the called number (directory number) of a mobile station. The HLR has stored within it the information
necessary to find the base VLR: this information includes an identification of the mobile switching center that
contains the base VLR. For this detailed description, this MSC is the same as the MSC of the HLR and the
HLR and VLR are stored as one block so that if either is located the other is also located. All administrative
changes of data associated with a mobile station are entered first into the HLR which then sends messages
for entering the corresponding change in the base VLR. Customer initiated changes such as the prescription
of a different call forwarding number are forwarded initially to the base VLR which does not initially make any
change in its record but forwards the request to the HLR which makes the necessary change and generates
a message for updating the base VLR. The HLR is accessible via the mobile station directory number or the
International Mobile Subscriber Identification (IMSI). The VLR is accessible via the IMSI or the TMSI; the HLR
can also access the VLR by a special ISDN address. ISDN addresses are maintained for VLRs, HLRs, MSCs
and EIRs according to the GSM specification.

The VLR is attached to the HLR so that common data need only be stored once. This arrangement is
satisfactory as long as the mobile station is in the region served by the MSC; consideration of the storage of the
VLR when the mobile station leaves that region is beyond the scope of this description.

The combined HLR and VLR is stored in the wireless switching modules of the MSC. Each switching
module stores records for a range of mobile directory numbers and each module has a range translation to select
a module based on the directory number. Since the HLR/VLR must also be accessible via the IMSI, a table is
stored in each protocol handler of the WGSM to identify the module that has stored the VLR/HLR for each
IMSI served by the MSC. No translation is required for access via the TMSI since that contains a subfield for
identifying the VLR/HLR modules.

FIG. 5 is a block diagram illustrating the physical signaling paths between base stations and wireless
switching modules. The base stations 502 are connected through permanent virtual circuits which physically
pass through a WSM 504 serving the base station and through the communications module 506 to a protocol
handler in the WGSM 508. The protocol handler receives messages in the SS7 protocol used to communicate
with the base station and transmits the message to the correct WSM; the digital facility interface connected
to the BSS transmits the messages to a protocol handler of the WGSM which is connected by a switchable
physical nailed up data channel to the destination WSM, where it terminates on a protocol handler which is
connected to the switching module processor of the WSM. Advantageously, the WGSM terminates a standard
protocol and allows any WSM to control any calls from the base stations that have trunks to the WSM, since
the processor of the switching module (SMP) for controlling the call need not be the SMP for controlling a
specific connection between a BSS trunk and a channel to a CM or to another output of the WSM.

FIG. 6 shows the logical signaling system. The base station system 602 communicates with the WGSM
604 which then delivers its message via the communications module 506 to the appropriate WSM 610.

As shown in FIG. 7, the VLR data for a particular mobile switching center is spread out over the WSMs
702, 704 in that center. In the particular example, when WSM 702 needs VLR information from WSM 704,
it requests the information via the call processing inter-module data links switched through the message switch
of the communications modules of the 5ESS switch.

FIG. 8 illustrates the modules involved in a mobile-to-land call. The base station system 802 nearest the
mobile is connected by a voice path to a wireless switching module (WSM) 804 which is connectable through
the communication module (CM) to another switching module for connection via the public switched telephone
network (PSTN) 808 to the called customer. The PSTN global switching module (GSM) 810 is used for
controlling SS7 signaling to the public switched telephone network. The WSM 812 that contains the base VLR
data is connected via virtual data links to the WSM 804 controlling the mobile station leg of the call. The SM
806 and WSM 804 are connected by a virtual data link in order to coordinate the activities of the terminal
process handling the call in each of these modules. The WGSM 814 communicates all data to and from the BSS
and transmits it as necessary to either the WSM 804 or the VLR-WSM 812.

Consistent with the principles of operation of the 5ESS switch for land-based calls, the administrative
module 508 (FIG. 5) is used for selecting outgoing PSTN trunks on mobile originated calls and for selecting time
slots for voice paths between switching modules. In addition, the administrative module is used for selecting
a trunk between the mobile switching center and a base station controller. The base station controller selects
a path between the incoming trunk to the base station controller and the base transceiver station. As previously
indicated, this path may be a land-based trunk. The trunks between the BSSs and the mobile switching center
are one way outgoing from the mobile switching center. This makes the finding of an idle trunk from the
centralized administrative module efficient and allows the trunks to be fully utilized: whether the call is originated
by a mobile station or is terminated to a mobile station, the trunk will be hunted for and allocated by the
administrative module which is a part of the mobile switching center.
message 1306 to the mobile station to connect alerting tone. (This is supplied locally within the mobile station.)
Sometime later, the public switched telephone network sends message 1308 to the SM that the called
customer has answered. The SM sends a message 1310 to the call control WSM to indicate that an end-to-
end talking path has been established. The call control WSM so informs the mobile station (message 1312).
The mobile station responds with an acknowledgment (message 1314) and the call is now active.

Next, the disconnect process will be discussed (FIG. 14). It will be assumed that the mobile disconnects
first. The mobile sends a disconnect message 1402 to the WSM whose terminal process is controlling the mo-
6 n ?" d Z JL WSM transmits a release message 1404 to the mobile and a network release request
1405 to the SM connected to the public switched telephone network. The mobile then transmits a release
complete message 1406 to the WSM. The SM releases the call and transmits a network release message 1410
to the public switched telephone network. The SM also transmits a message 1412 to the administrative module
to release the trunk to the PSTN. The WSM sends messages 1414 to the administrative module for releasing
the BSS trunk and 1416 for making a billing record of the call if necessary. (Several billing records are sent
in one message so that not every call generates a billing message from an SM to the AM.) The WSM also sends
a release message 1418 to the VLR-WSM to update the status of the mobile station of the call. The VLR-WSM
sends a clear command 1420 to the WGSM for clearing the connection information for messages if the call
is the last transaction for the mobile station. (If other transactions, such as the delivery of a message waiting
f*?e» message, are required, the connection is kept up; the VLR remains involved in call control but not the
WSM attached to the BSS for controlling the call.) The WGSM sends a clear command to the BSS to release
the radio channel and receives an acknowledgment 1424 from the BSS that the radio channel has been re-
BSS ) sends a clear command 1426 to the mobile station to release the transmitting channel. The
WGSM then sends a clear complete message 1428 to the VLR-WSM to confirm that the mobile station is now

■ GIG 35 60 . 

The handover procedure will now be described. Since a mobile station may travel during the course of a
call, it could easily get outside the effective range of the base transceiver stations of one BSS and into the
effective range of another. Under these circumstances, it is important that the mobile station be retuned to a
frequency of a transceiver of the second BSS and that the call be continued via that transceiver. The process
will first be described in terms of the connections, then in terms of the message exchanges.

FIGS. 15-18 illustrate the process of a handover to a base transceiver station in another BSS served by
the same MSC. The request is originally made from the BSS 1502 serving the call in response to a message
from the mobile station 1504 reporting the signal strengths of the serving base transceiver station and nearby
candidate base transceiver stations. At this time the call is served from BSS 1502 and wireless switching
module 1506. The wireless switch module 1506 selects a new base transceiver station which is, in this example
S^!„H R 1 S« T i h n administrative module selects a trunk 1512 (FIG. 16) between wireless switching
module 1512 and BSS 1510. The administrative module also selects a network time slot 1532 between the
switching module 1530 (the pivot module) connected to the land-based station via the public switched telephone
network 1540 and the wireless switching module 1520. BSS 1502 then sends a message to the mobile station
to retune to the transceiver system of BSS 1510. At the completion of retune (FIG. 17), the connection through
HVn'ZT interchange in the pivot module is switched to the connection 1532 to wireless switch module
1520. At this point, the land-based station is connected through the public switched telephone network 1540
through pivot switch module 1530, and through WSM 1520 and BSS 1510 to the mobile station 1504. Finally,
the old resources, namely the connection 1542 between the pivot module 1530 and WSM 1506 as well as the

?502 e (F.G n i b 8r een 1506 1502 re ' eaSed 35 radi ° reS ° UrCeS <0r Ca " ' n BSS 

The handover process will now be described (FIGS. 19-21) in terms of the appropriate message exchanges.
According to the standards discussed previously, a mobile station performs the task of measuring the
strength of signals received from different BSSs in its vicinity. The mobile station periodically sends the
measurements message 1902 (FIG. 19) to the base station currently serving that station. If the BSS detects that
the signal from the BSS currently serving that mobile station is below the threshold of signal strength required
for reliable communications, the BSS sends a message 1904 to the WGSM of the mobile switching center
including an ordered set of candidate base transceiver stations for handling the call further. The WGSM delivers
the message 1904 to the WSM currently handling the call (the old WSM), indicating that a handover is required
and passing the list of candidate base transceiver stations. The old WSM, after consulting the terminal process
for the mobile station to determine that handover may proceed, passes this information via message 1906 to
the administrative module for the allocation of a trunk to the first candidate BSS. The administrative module
transmits a message 1908 to the WSM connected to the selected trunk of the BSS (the new WSM) and the
new WSM transmits a message 1910 to the switching module connected to the land path (the pivot SM) to
set up a second time slot path for use with the new connection from the public switched telephone network
scope of this Detailed Description.) This MSC contains the base HLR information for the mobile unit.

The MSC consults the HLR for that mobile unit in the appropriate wireless switching module (action 2206),
and obtains information as to which MSC is currently serving the mobile unit (action 2208). If the mobile unit
is currently roaming and outside the range of the home MSC, the MSC reroutes the call to the MSC that serves
the mobile unit. In this example, the mobile station is controlled by the home MSC. If the mobile station has
requested that calls be forwarded to another number, this will also be reported to the MSC for further
processing, either by the MSC if the call forwarding number is served by the home MSC, or for further processing
by another MSC or the public switched telephone network, if the call forwarded number is not served by the
home MSC.

In this case, assume that the mobile station has not requested call forwarding and is being served by the
home MSC. The MSC determines the WSM which contains the VLR of the mobile station, which VLR is
integrated in the MSC for this embodiment. The MSC queries that VLR (action 2210). The VLR determines the
most recent location area of the mobile station, in order to have the mobile station paged by the BSSs in the
most recent location area. The VLR responds with the identity of the location area for performing the page
(action 2212).

The MSC then sends a message 2302 (FIG. 23) to the BSSs serving the location area requesting the page.
The BSSs send out paging signals (action 2304) and the mobile station responds to this request (action 2306)
via one of the BSS, with a request to assign a control channel to this mobile station. That BSS transmits to
the mobile station a channel assignment 2308 for the dedicated control channel to be used. The mobile station
tunes to that control channel and delivers its page response 2310 over that control channel.

Under the principles of the GSM standard for mobile communications, a mobile unit is tuned to a single
paging channel. If the mobile unit is turned on, it tunes to the paging channel of the base transceiver station
with the strongest signal. This is done by taking signal strength measurements of the broadcast channels of
several nearby base transceiver stations and selecting the system with the strongest signal. The mobile station
then tunes to the common control channel, paging subchannel of that system. If a mobile unit has moved across
location area boundaries while the mobile station is powered on but not in the connected state, then the mobile
station will send a location update message to the MSC which is used to update the VLR for that mobile station.
The mobile station recognizes this transition because its internal record of a location area differs from the
location area signal received from the base transceiver station via the broadcast control channel.

When a mobile is originally paged, it is paged by all the transceiver stations in the location area where the
MS has last registered. This paging message is transmitted from the protocol handlers of the wireless Global
switching module to all the appropriate base station controllers. Within the WGSM, a paging request message
received from a switching module contains the location area identifier (LAI). This is translated to derive a series
of point codes for the BSSs that contain Base Transceiver Stations which must broadcast the page. The PH
that received the paging request message from the switching module broadcasts a message to the WGSM
protocol handlers that also includes the identity of the mobile (the IMSI or TMSI as discussed hereinafter with
respect to the authentication procedure), the point codes and a single logical route, effectively appended to
each point code. The logical route is a four bit quantity used to spread the signaling traffic over the different
signaling links to the BSSs. Each protocol handler examines the point codes and the logical route to see if it
is involved (i.e., serves a signaling link that is used) in transmitting paging request messages. Each involved
protocol handler transmits a paging request message to each of these BSS controllers for which that protocol
handler is the designated source of paging messages for the point code and logical route; this paging request
message includes a list of the BTSs in the LAI so that a BSS that includes portions of two or more LAIs can
transmit a paging request only to the base transceiver stations serving that LAI. In an alternative version, not
covered by the present GSM specification, the LAI is sent and the BSS translates to find the appropriate base
transceiver station for paging.

An alternate approach is to make a translation within the protocol handler that receives the paging request
message from the switching module to determine which protocol handlers of the WGSM should receive a
multicast paging message that includes the point codes of the BSSs and the logical route for those BSSs involved
in the paging, plus a list of base transceiver stations. Each of the determined recipients of this multicast
message then translates the point codes and logical route to see if it is to transmit a paging message; if so it
transmits the appropriate paging message. In this approach, the initial translation to determine which protocol
handlers may be involved in the process of transmitting paging request messages to base station controllers is
performed in the single protocol handler that initially receives the paging request message. A disadvantage
of this approach is that each of the protocol handlers that makes the initial translation needs a table for storing
the translation information. The simpler translation of the preferred embodiment is only from the LAI to point
codes, a relatively static translation. The updating of protocol handlers to respond to trouble conditions only
affects the tables of protocol handlers actually transmitting data to the BSSs.
service request by the mobile station or following a successful page of a mobile station, but is performed
primarily under the control of the VLR. According to the wishes of the telecommunications operator, this
authentication process may be performed every time a mobile station originates or a call is terminated to a mobile
station. In addition, if the administration of the mobile switching system so desires, the authentication may
take place whenever a location is updated for a mobile station that is in the power-on and idle state. In addition,
authentication may be performed when a mobile station registers by turning on its power.

In the case of a request for service originated by a mobile station, the mobile station sends a message to
the mobile switching center recording one of the requests discussed above. This message includes the IMSI
(International Mobile Subscriber Identification) or a TMSI (Temporary Mobile Subscriber Identification). The
choice of an IMSI or a TMSI as the primary identification mechanism is made by the system operator. The
IMSI is a permanent number which is assigned to every mobile station. The TMSI is assigned to a mobile station
only after an authentication, and has only local significance. If this is the first authentication request or an
authentication request which for some reason has failed and the system administration is using TMSI
identification, then the backup IMSI is used for the purpose of authenticating the customer and assigning a new
TMSI. The source of data used in authentication is an authentication center which in the present system is
present in each mobile switching module of the MSC. This authentication center (AUC) does not store any data
for each customer. The purpose of the authentication center is to generate random numbers which are used
in conjunction with data in the HLR to generate authentication data. Initially, at the time when a customer
subscribes for service, that customer is assigned an initial key Ki. This key and a random number (RAND) supplied
from the authentication center are acted upon by a first algorithm (A3) to generate a secondary number, an
authentication number, referred to as Signed Response (SRES), a result of manipulating the random number
using the A3 algorithm. In addition, the random number and Ki are acted upon by a second algorithm (A8) to
generate an encryption key Kc. Values of RAND, SRES and Kc are requested from HLR as needed by the VLR.
In the preferred embodiment of the invention, five sets of RAND/SRES/Kc are generated and stored in the VLR
each time a set of calculations is made.
When the authentication is needed, the MSC sends the random number to the MS. The MS retrieves Ki
from its initialization memory (which may be initialized at the time of the purchase of the mobile station) and
calculates SRES and Kc from the random number and the Ki using algorithms A3 and A8. It then stores the
Kc and sends the SRES result to the mobile switching center. The switching center
verifies that the SRES value calculated by the mobile station matches the SRES value that has been stored
[illegible] previously. If the values match, this is a successful authentication and it is
assumed that the two values of the key Kc as stored in the MSC/VLR and in the mobile station are identical.

Note that with this arrangement, only the random number and SRES are transmitted over the air. The two
independently generated values of the encryption key, Kc, each generated from the random number and each
generated using a value of Ki which is also never transmitted through the air, are not transmitted over the air.
Since a separate algorithm is used for deriving Kc and SRES, the fact that SRES and RAND are transmitted
over the air does not permit an interloper to discover Kc.
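
The challenge-response exchange described above, as an added example that is not part of the original patent text. A3 and A8 are replaced by an HMAC-SHA256 stand-in (an assumption, since the algorithms themselves are not given here); the class names, the IMSI and the key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def a3_a8(ki: bytes, rand: bytes):
    """Stand-in for A3 and A8 (assumption: HMAC-SHA256 with distinct labels)."""
    sres = hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]  # 32-bit SRES
    kc = hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]    # 64-bit Kc
    return sres, kc

class MobileStation:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki, self.kc = imsi, ki, None

    def respond(self, rand: bytes) -> bytes:
        sres, self.kc = a3_a8(self._ki, rand)  # Kc is stored, never sent
        return sres

class Network:
    """HLR holds Ki; the VLR caches five RAND/SRES/Kc sets per refill."""
    def __init__(self, hlr: dict):
        self.hlr, self.vlr, self.pending = hlr, {}, {}

    def challenge(self, imsi: str) -> bytes:
        if not self.vlr.get(imsi):
            ki = self.hlr[imsi]
            rands = [secrets.token_bytes(16) for _ in range(5)]
            self.vlr[imsi] = [(r, *a3_a8(ki, r)) for r in rands]
        self.pending[imsi] = self.vlr[imsi].pop(0)
        return self.pending[imsi][0]  # only RAND goes over the air

    def verify(self, imsi: str, sres: bytes):
        rand, expected, kc = self.pending.pop(imsi)  # each set is used once
        return kc if hmac.compare_digest(sres, expected) else None

def run_demo() -> dict:
    imsi = "001010000000001"  # constructed test IMSI
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    net = Network({imsi: ki})
    genuine = MobileStation(imsi, ki)
    impostor = MobileStation(imsi, bytes(16))  # right IMSI, wrong Ki

    sres1 = genuine.respond(net.challenge(imsi))
    kc_net = net.verify(imsi, sres1)

    net.challenge(imsi)                # a fresh RAND is issued
    replay = net.verify(imsi, sres1)   # SRES captured earlier no longer matches

    wrong_key = net.verify(imsi, impostor.respond(net.challenge(imsi)))
    return {"genuine": kc_net is not None, "kc_match": kc_net == genuine.kc,
            "replay": replay is not None, "wrong_key": wrong_key is not None,
            "sets_left": len(net.vlr[imsi])}
```

Both sides end with the same Kc although only RAND and SRES cross the air interface, and a station holding the right IMSI but the wrong Ki fails the check.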

In case authentication fails, if the system administration uses TMSI, then the IMSI is sent as a backup in
case the TMSI for one reason or another became garbled. If another authentication using the IMSI is attempted
and if that authentication is successful, a new TMSI is sent and actions which are based on a successful
authentication can be performed. If the system administration uses an IMSI and authentication fails, or if
authentication [illegible] an IMSI backup of a TMSI, service except emergency [illegible] is [illegible] denied
to that mobile station.

Note that both the TMSI and the IMSI may be sent over the airwaves without compromising security since
these values are useless if the Ki corresponding to that IMSI is not available to a potential interloper.
[illegible] administrations may choose not to perform an authentication on every call. If this is the case and
an IMSI or TMSI has been intercepted, then a fraudulent call may be made, or a call may be fraudulently
received. However, if this is a call on which authentication is made in an administration which chooses to
authenticate some percentage of its calls, then authentication will fail and the failure of authentication is a
warning to the administration that the particular IMSI or TMSI has been compromised.

Only a single pair of algorithms is normally used at any one time. It is possible for a system administration
[illegible]

It is to be understood that the above description is only of one preferred embodiment of the invention.
Numerous other arrangements may be devised by one skilled in the art without departing from the scope of the
invention. The invention is thus limited only as defined in the accompanying claims.

APPENDIX A
ACRONYMS AND ABBREVIATIONS

AUC Authentication Center
AM Administrative Module
BSC Base Station Controller
BSS Base Station System
BSSAP Base Station System Application Part
BSSOMAP BSS Operation Maintenance and Administration Part
BSSMAP Base Station System Management Application Part
BTS Base Transceiver Station
CM Communications Module
DFI Digital Facility Interface
DTAP Direct Transfer Application Part
EIR Equipment Identity Register
GSM Global Systems for Mobile Communications
ISDN Integrated Services Digital Network
ISO International Standards Organization
HLR Home Location Register
IMEI International Mobile Equipment Identification
IMSI International Mobile Subscriber Identification
ISUP ISDN User Part
LAI Location Area Identifier
OMC Operations and Maintenance Center
MAP Mobile Application Part
MS Mobile Station (personal communication station)
MSC Mobile Switching Center
MTP Message Transport Part
PH Protocol Handler
PSTN Public Switched Telephone Network
PSTN GSM PSTN Global Switch Module
PSU Packet Switching Unit
RAND Random Number

Claims
1. In a [illegible] telecommunications network, a method of detecting fraudulently identified mobile stations
comprising:

upon receipt of state change messages to one of a selected plurality of new mobile station states,
[illegible] a mobile station identifier, accessing a previous state recorded for a mobile
station having said identifier, and

if a transition from said previous state to said new state is unlikely, reporting said state transition. 

2. The method of claim 1 wherein said new states are one of attach and detach and wherein said transition
is one of attach while attach or detach while detach.

3. The method of claim 1 wherein said previous state is detach and wherein said new state change message
is a connection management service request.

4. The method of claim 1 wherein said previous state is one of an attach or a detach process in progress 
and wherein said new state change message is a connection management service request. 

5. The method of claim 1 wherein said previous state is waiting for page response and said state
change messages are multiple page responses for the same identifier.

6. The method of claim 1 wherein said previous state is location update in progress and wherein said state
change message is another location update request.

7. The method of claim 1 wherein said previous state is location update in progress and wherein said new
state change message is a connection management service request.

8. The method of claim 1 wherein said previous state is an active connection management transaction and
wherein said new state change message is a location update request.

9. The method of claim 1 wherein said previous state is an active connection management transaction and 
wherein said new state change message is a cancel location request. 

10. The method of claim 5, 6, 7, 8 or 9 wherein said reporting step comprises the step of issuing a fraudulent
identifier report.


processor means [illegible] mobile station and for [illegible]
a state transition of a mobile station for [illegible] to recognizing that said
transition from a previous state [illegible]
unlikely, for controlling transmission of a data message reporting said unlikely state transition and an
identifier of said mobile station.

14. The apparatus of claim 13 wherein said processor means is further responsive to said recognizing for
[illegible] a fraudulent identifier.
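
The unlikely-transition check recited in claims 2 through 9, as an added example that is not part of the patent. The state and message names, the rule for which state follows each message, and the choice to leave the recorded state unchanged after a report are assumptions; the event stream is constructed.

```python
from collections import namedtuple

Report = namedtuple("Report", "identifier previous message claim")

# (recorded previous state, incoming message) -> claim that calls it unlikely
UNLIKELY = {
    ("attached", "attach"): 2,
    ("detached", "detach"): 2,
    ("detached", "cm_service_request"): 3,
    ("attach_in_progress", "cm_service_request"): 4,
    ("detach_in_progress", "cm_service_request"): 4,
    ("page_answered", "page_response"): 5,   # second answer to one page
    ("location_update_in_progress", "location_update_request"): 6,
    ("location_update_in_progress", "cm_service_request"): 7,
    ("cm_active", "location_update_request"): 8,
    ("cm_active", "cancel_location"): 9,
}

# Assumed model: the state recorded once a message has been accepted.
NEXT_STATE = {
    "attach": "attach_in_progress", "attach_complete": "attached",
    "detach": "detach_in_progress", "detach_complete": "detached",
    "page": "waiting_page_response", "page_response": "page_answered",
    "cm_service_request": "cm_active", "cm_release": "attached",
    "location_update_request": "location_update_in_progress",
    "location_update_complete": "attached", "cancel_location": "detached",
}

class TransitionMonitor:
    def __init__(self):
        self.state = {}     # identifier (IMSI or TMSI) -> recorded state
        self.reports = []

    def observe(self, identifier, message):
        previous = self.state.get(identifier)   # None on first sighting
        claim = UNLIKELY.get((previous, message))
        if claim is not None:
            # Keep the recorded state: a second station may share the identifier.
            report = Report(identifier, previous, message, claim)
            self.reports.append(report)
            return report
        self.state[identifier] = NEXT_STATE.get(message, previous)
        return None

EVENTS = [  # constructed sample: (identifier, message)
    ("imsi-A", "attach"), ("imsi-A", "attach_complete"),
    ("imsi-B", "attach"), ("imsi-B", "attach_complete"),
    ("imsi-A", "cm_service_request"), ("imsi-A", "location_update_request"),
    ("imsi-B", "page"), ("imsi-B", "page_response"), ("imsi-B", "page_response"),
    ("imsi-A", "cm_release"), ("imsi-A", "detach"), ("imsi-A", "detach_complete"),
    ("imsi-A", "cm_service_request"), ("imsi-B", "cm_release"),
]

def scan(events):
    monitor = TransitionMonitor()
    for identifier, message in events:
        monitor.observe(identifier, message)
    return monitor
```

On the sample stream the monitor reports a location update during an active call, a duplicate page response, and a service request from a detached identifier, each tagged with the claim that names it.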